Typically we have a production gateway with the production with the production database/PLC connections/tags, and then a development gateway with a dev DB, simulated PLC’s and tags relying on the simulations. Starting up another copy of the production gateway, while on the the VPN that has access to the database is the reason things started updating twice - you had two servers with the DB credentials running historian, your scripts, etc.
Imo there is almost no reason to ever start up a new copy of the production gateway, but ESPECIALLY while on the production network for the reasons you just described. The only reasons I ever go onto the production gateway are to push project changes, see logs for errors, or change configurations as needed - none of which require another instance.
Another reason I can think of is it might mess with your licensing - I am not exactly sure how it works but if both gateways can touch the internet and Ignition sees you have two servers using the same license, it might cause an issue - I am not 100% sure on this but I always tried to make sure it never came up as a potential issue.
Lastly, in the event you have scripts in your project that you only want to run on your production gateway but no other, I recommend this thread - Good way to make sure my gateway scripts only run on the server? - The gist - make JSON configuration files (I put them either inside the ignition install or the user folder system) with information that would be something like
{"environment":"PROD"} or {"environmnet":"DEV"}. This will only help you conditionally filter gateway/client scripts you only want to run on your production server though, but this would not solve your initial issue of double saving to a prod database.
All this is to say, make a new development gateway with it’s own separate db/plc connections etc so that even if it is opened up while on the VPN, you won’t have this issue.